In my January post, I promised to share my thoughts on what is needed, and what can be done, to comprehensively address how companies can better "Know what they don't know," while improving their internal control strength to minimize unwelcome surprises that can damage employee morale, alienate customers, alarm regulators, disappoint shareholders, and, in essence, ruin their reputation.

I begin that task with this post, but it will take several more to cover all of that ground. I intend to make the case for an enterprise GRC solution. But first, as is the case with any technological change, it is imperative that the business environment, both internal and external, be taken into account. Moreover, it is the people, as much as the business workflows, which must be "in sync" with the new operational and corporate vision. Thus, it is necessary to foster a "GRC Culture and Mindset" in advance of any technological changes. This post considers what is involved in engineering a successful transition to an enterprise GRC Program, supported by an Enterprise GRC solution.

Corporate culture is the foundation for any business. It dictates how employees will treat customers, and one another, and it molds the kind of image and brand reputation that management desires. It is worth the trouble to explicitly lay out, as a matter of corporate policy, the core values for the culture, including the “definition of success.” This is Step 1 in a five-step cultural engineering process, as depicted in the process diagram above.

Success is not just about winning. Famed basketball coach John Wooden drove that point home when he talked about “doing one’s best to become the best that one is capable of becoming.” He devised a “pyramid of success,” which identifies key elements to achieving success. Those elements apply as much to corporations as they do individuals and sports teams. These elements include adaptability, resourcefulness, initiative, cooperation, reliability, honesty, sincerity, integrity, and so on.

The definition of cultural values also entails the development of codes of conduct for both individuals and departments within the organization.

For example, an issue-surfacing culture would have whistle-blower protections to ensure that messengers exposing wrong-doing are not “shot.” Cultures based upon fear, deception, manipulation and coercion as a means to maintain control over the workforce and achieve target levels of productivity are not sustainable. Any rogue business unit managers who subscribe to the writings of Niccolo Machiavelli (The Prince) or Robert Greene (The 48 Laws of Power) will ultimately fail, and their conduct and actions could have severe consequences for the company at large. The fact is that power is exercised most effectively when it is used prudently and responsibly by leaders and managers who are “plugged in” to the needs and interests of their customers, employees and shareholders. In any culture, there is always exposure to those who seek to win at any cost, or who work against team or company decisions in pursuit of their own agenda. The graphic above drives home the importance of how a corporation, and its agents, "play the game to win."

An Enterprise GRC solution can enable a company to reduce the probability of compliance violations because it helps to ensure that policies are well-maintained, especially relative to regulatory changes. It can provide effective access to information and disseminate it, in addition to aggregating it, across an enterprise. It can continuously monitor risk and compliance exposures and internal controls, in addition to employee training and customer sentiment. I will have much more to say about that in subsequent posts.

Let's return to our discussion of corporate culture. After the core values are identified, Step 2 is to communicate those values. This entails developing a training plan, including deciding how the training will be delivered, creating the educational and training material and examinations themselves, administering the training and following up as needed to ensure a 100% pass rate for the company. A sample high-level workplan for Step 2 appears to the left.

Step 3 in the process is to promote the core values so as to build awareness within the organization. This will lead to Step 4, their adoption at both the individual employee and the business unit level and, with it, a corporate mindset that transcends individual departmental boundaries. In Step 5, reinforcement is accomplished through incentives and penalties in order to maximize compliance with all applicable laws, regulations, corporate policies and the code of conduct.

There is a great deal more to be said about corporate culture. It has a direct impact on strategy execution, and I have developed a six primary factor framework that can be used to monitor and influence the success of a business strategy. I plan to describe it in a future post, so be sure to keep a lookout for it. In my next post I will continue with the current theme to discuss policy and compliance aspects of an enterprise GRC Program, followed by a post on assurance and the audit component. I will conclude with a post on the risk management side of a GRC Program. All three areas can be integrated to help companies run more efficiently and safely and to better "Know what they don't know," while improving their internal control strength to minimize their reputation risk.

About this blog

Clark Abrahams has been with SAS for a decade. A 2011 NACD Governance Fellow, Clark previously worked three decades in various management positions dealing with credit, risk and finance, culminating in a bank executive role reporting directly to the board. He currently serves on the PERC Advisory Board. Clark is a strong proponent of high-performance analytics (HPA), which he envisions will enable quantum leaps in business strategy, problem-solving and decision-making. Clark has been awarded five patents and has two more in the works. Clark has co-authored several books on risk, compliance and decision making: